Asset disposal: don’t allow unnecessary risk
The incidence of data breaches is on the rise. Public and private sector organisations are regularly left embarrassed because they have suffered a ‘cyber-attack’, and most readers assume these incidents are the result of a highly sophisticated attack on the organisation’s networks.
The reality in many cases is very different. In a recent survey, Big Brother Watch listed the top 10 data breaches suffered by HMG, and nine of the 10 had nothing to do with ‘cyber’: they were basic human error or process failure.
So whilst the press (and the security industry) waxes lyrical about the need for increased cyber defences, most government departments and businesses need to pause for breath and take stock of the situation they currently find themselves in. There is a whole array of very basic vulnerabilities, requiring very little expertise to exploit, that need addressing first.
Areas such as staff training and awareness, physical security, hardware configuration, third party management and data governance are all critical to the overall effort to protect data. Solid foundations need to be put in place in all of these areas, and initiatives such as the DP Governance method are beginning to help organisations understand what to do, rather than relying on ISO certifications or Cyber Essentials, which only go so far.
One area of continued poor performance is ICT asset disposal. In the same Big Brother Watch report, the health sector’s ICT disposal featured as two of the top 10 data breaches. So what is the problem? Why does a seemingly innocent and simple business process go wrong? Before attempting, in this short space, to shed some light on the process, I must first address the importance of changing the perception of ICT disposal.
Within the NHS I’ve seen Informatics and IT teams treat retired ICT assets as nothing more than door stops. I’ve personally inspected equipment left in a public corridor, all still holding data, and in another trust I’ve seen a publicly accessible fire exit stairwell used as a storage area.
Furthermore, as an industry looking to win business from this sector, we see on an ongoing basis an enormous indifference to the seriousness of the process. Tenders come out with little service specification and with the majority of the weighting on price. We constantly see RFPs released with only cursory equipment lists and then a request for ‘best bids’.
Some tenders are embarrassing, as the authors clearly have no knowledge of the process and use terminology incorrectly, making the submission literally impossible to comply with. All of this from a sector which holds the highest volume of the most sensitive personal data available.
So any organisation looking to manage risk within ICT disposal must first change its perception. Its partners are not IT dustmen; they perform an essential part of the effort to protect data. Once the process is looked at in this light it becomes clear that, whilst there are risks throughout, they can be neatly categorised into three key areas: the inventory of what is released, the selection and management of the vendor, and the technical sanitisation of the media.
Inventory
With inventory accuracy for equipment on the network typically ranging from 60 to 80 per cent, it can hardly be surprising that ICT asset disposal companies are often asked to collect after nothing more than a request such as ‘we have a van full’ or ‘I’ve got a few bits’. Sometimes an inventory list is provided, but it is virtually a work of fiction and bears no resemblance to the assets actually ready for collection.
So why is this important? An inventory list is essential if the releasing organisation is to have any hope of demonstrating control over the process. Without one, how can chain of custody be shown to exist through the various internal stages, and how can the likelihood of internal and external theft be mitigated? For those organisations who comfort themselves with ‘certificates of destruction’, ‘waste transfer notes’ or even ‘audit documents’, I would suggest that this is cold comfort. After all, how can you evidence that all of your items have been processed when you don’t even know what you released? The practical test is a reconciliation: every serial number on the release list must appear on the vendor’s certificate with a clean result, and any serial on the certificate that was never released is itself evidence that the inventory is wrong.
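The reconciliation described above, written out as an added example (this is illustrative code, not an ADISA tool or anything from the original article). It takes the releasing organisation’s inventory and the vendor’s certificate of destruction as two CSV files keyed on serial number and reports four things: serials released but never certified (a custody gap), serials certified but never released (the inventory is wrong), serials certified with anything other than a clean pass, and released rows with no serial at all, which cannot be reconciled by anyone. The CSV contents, column names, serials and asset tags are all constructed for the example.

```python
import csv
import io

# Constructed sample data for illustration only. Column names, serials, tags and
# locations are made up; none refers to a real trust, vendor or device.
RELEASED_CSV = """asset_tag,serial,type,location
NHS-0101,WDC-WCC4E0000001,HDD,Ward 3 server room
NHS-0102,WDC-WCC4E0000002,HDD,Ward 3 server room
NHS-0103,ST-Z1D0000003,HDD,Outpatients
NHS-0104,,SSD,Outpatients
NHS-0105,SAM-S2R0000005,SSD,Records office
"""

CERT_CSV = """serial,method,result
WDC-WCC4E0000001,overwrite-3pass,pass
WDC-WCC4E0000002,overwrite-3pass,pass with exceptions
SAM-S2R0000005,shred,pass
HIT-HDS0000099,overwrite-3pass,pass
"""


def load(csv_text: str, key: str = "serial") -> tuple:
    """Index rows by serial. Rows with a blank serial are returned separately:
    nothing on a certificate can ever be matched back to them."""
    indexed, unidentifiable = {}, []
    for row in csv.DictReader(io.StringIO(csv_text)):
        serial = row[key].strip()
        if serial:
            indexed[serial] = row
        else:
            unidentifiable.append(row)
    return indexed, unidentifiable


def reconcile(released_csv: str, cert_csv: str) -> dict:
    """Compare what the organisation released against what the vendor certifies."""
    released, unidentifiable = load(released_csv)
    certified, _ = load(cert_csv)
    # Released but never certified: a break in the chain of custody.
    missing = sorted(set(released) - set(certified))
    # Certified but never on the release list: the inventory was wrong.
    unexpected = sorted(set(certified) - set(released))
    # Both lists agree the item exists, but the result is not a clean pass.
    exceptions = sorted(
        s for s in set(released) & set(certified)
        if certified[s]["result"].strip().lower() != "pass"
    )
    return {
        "missing": missing,
        "unexpected": unexpected,
        "exceptions": exceptions,
        "unidentifiable": [r["asset_tag"] for r in unidentifiable],
        "clean": not (missing or unexpected or exceptions or unidentifiable),
    }


if __name__ == "__main__":
    for finding, items in reconcile(RELEASED_CSV, CERT_CSV).items():
        print(f"{finding}: {items}")
```

On the constructed data the report is not clean: one drive was released and never certified, one serial on the certificate was never released, one drive ‘passed with exceptions’, and one SSD was released with no serial recorded at all. Each of those is a question to put to the vendor (or to your own IT team) before the certificate is filed as evidence.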
Vendor selection and management
Most organisations engage a third party to perform these services (recent FOI studies put the figure at over 90 per cent), so how that partner is selected and managed is an imperative part of the process. Vendor selection is perhaps the greatest concern in this sector. The industry is highly competitive and has historically done very well out of organisations seemingly happy to give old infrastructure away. That has changed significantly in the past few years: with the exception of companies who offer ICT disposal as part of a portfolio of IT services, it is extremely difficult to offer these services for free without an absolute guarantee of the volume and quality of equipment. Why? The second-user market has become far less buoyant for older technology, and commodity pricing has decreased significantly in the past 12 months.
This has meant that the recycling value of equipment is now about 30 per cent of its previous level. If the resale value is lower, the material value is lower, and the type, quality and age of the equipment are unknown, then no vendor can be assured of covering its costs from a collection.
Hopefully it can be seen that basing selection on price alone in a highly competitive market is a questionable strategy. It is worth noting that the ICO’s penalty notice against NHS Surrey (a £200,000 fine) specifically mentions poor vendor selection; that incident should be used as a case study by others.
In 2012 the ICO released guidance notes for this process, but even though these notes are clear and simple to follow, our recent FOI studies showed that on average over half of respondents do not currently meet the legal requirements when disposing of ICT assets. The most critical failures are not having a contract in place and not auditing the partner.
At the Asset Disposal & Information Security Alliance (ADISA) we have carried out over 200 audits within this sector, and I think we can speak with some authority that without constant auditing even the very best operators can allow normally rigorous processes to slip. Outside of our certified members we have seen all sorts of practices: issuing certificates of data destruction before the equipment is processed, downstreaming equipment to other service providers, auctioning off equipment which is of low spec or not financially viable to repair, and the use of all sorts of curious data overwriting tools.
Remember, Environment Agency (EA) licences and exemptions refer only to the environmental handling of assets, not to data security. Furthermore, ISO 27001 can be scoped such that the disposal service itself falls outside the audit regime. We have seen many examples where the ISO certification has literally nothing to do with the service being offered and so provides no guarantee of service quality; ask to see the certificate’s scope statement, not just the certificate.
Data sanitisation
I think we all know that ‘delete’ doesn’t work, but organisations still take little responsibility for dictating what tools should be used on their data-carrying media. The technical picture can get more confusing still: on occasion a CESG-approved software overwriting tool will give a ‘pass but with exceptions’ and still generate the report. Those exceptions (typically sectors the tool could not overwrite, which therefore still hold their original contents) are generally not easily accessible to a user and require forensic recovery to read, but unless the releasing organisation dictates what must happen in that case you are leaving your vendor to make the decision for you (we are doing a research project on this very issue this month).
Earlier this year, in conjunction with the University of South Wales, we did a study into the factory reset commands on smartphones. We were able to show that on some Apple iOS and BlackBerry devices the reset command worked, but on Android handsets it typically did not! Any organisation now using solid-state media needs to be aware that there are no government-approved software overwriting tools for it: on an SSD the controller, not the host, decides which NAND cells a write actually lands on, so an overwrite that reads back clean does not prove the original data has gone. Furthermore, many destruction tools don’t actually impact the storage element of the media itself (the NAND cells), so a traditional drilling or punching process may not work either.
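One check a releasing organisation can specify, rather than leave to the vendor, is an independent read-back of the media after overwriting. The following is an added example (not ADISA’s code and not from the original article) of such a verification pass over a device image: it walks the image sector by sector, lists every sector that still differs from the overwrite pattern, flags well-known file signatures inside those sectors, and flags high-entropy sectors that look like encrypted or compressed residue rather than the fill pattern. The 64-sector image, the PDF fragment in sector 5 and the pseudo-random residue in sector 40 are constructed for the example; the signature table is a small illustrative subset. The caveat from the text applies: on an SSD this only sees the sectors the controller chooses to expose, not the NAND cells behind them, so a clean result here is necessary but not sufficient for solid-state media.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512

# A few well-known magic values that betray user data surviving an overwrite.
# Constructed, illustrative subset; a real check would use a fuller table.
SIGNATURES = {
    b"%PDF": "PDF document",
    b"\xff\xd8\xff": "JPEG image",
    b"PK\x03\x04": "ZIP / Office archive",
    b"NTFS    ": "NTFS boot sector",
    b"\xeb\x52\x90": "NTFS boot jump",
}


def shannon_entropy(block: bytes) -> float:
    """Bits per byte; a zero-filled sector scores 0, random-looking data near 8."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def verify_wipe(image: bytes, sector_size: int = SECTOR, fill: int = 0x00,
                entropy_threshold: float = 6.0) -> dict:
    """Read back a device image and report every sector that still differs
    from the expected fill pattern, with what was found in it."""
    expected = bytes([fill]) * sector_size
    report = {"sectors": 0, "residual_sectors": [], "signatures": [],
              "high_entropy_sectors": []}
    for offset in range(0, len(image), sector_size):
        sector = image[offset:offset + sector_size]
        report["sectors"] += 1
        if sector == expected[:len(sector)]:
            continue                      # wiped as expected
        lba = offset // sector_size
        report["residual_sectors"].append(lba)
        for magic, name in SIGNATURES.items():
            if magic in sector:
                report["signatures"].append((lba, name))
        if shannon_entropy(sector) > entropy_threshold:
            report["high_entropy_sectors"].append(lba)
    # A wipe only passes if nothing at all survived; 'pass with exceptions' is a fail here.
    report["passed"] = not report["residual_sectors"]
    return report


def build_sample_image() -> bytes:
    """Constructed 64-sector image of a drive that 'passed with exceptions'."""
    sectors = [bytes(SECTOR)] * 64
    # Sector 5: a sector the overwrite skipped, still holding the start of a document.
    sectors[5] = b"%PDF-1.4\n%patient discharge summary\n".ljust(SECTOR, b"\x00")
    # Sector 40: random-looking residue, generated deterministically from SHA-256 so the
    # example is repeatable (stands in for encrypted or compressed data).
    sectors[40] = b"".join(hashlib.sha256(b"residue-%d" % i).digest() for i in range(16))
    return b"".join(sectors)


if __name__ == "__main__":
    result = verify_wipe(build_sample_image())
    print("passed:", result["passed"])
    print("residual sectors:", result["residual_sectors"])
    print("signatures:", result["signatures"])
    print("high-entropy sectors:", result["high_entropy_sectors"])
```

Run against a real drive you would feed the function the raw device read back through the host (for example the contents of /dev/sdX on Linux, read with appropriate privileges) in chunks rather than one bytes object; the logic is the same. The point of the entropy check is that an overwriting tool’s own report is not evidence: the releasing organisation’s contract should say what ‘pass’ means and which of these findings, if any, it is prepared to accept.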
So how to manage risk?
My intention was not to write a piece on ‘fear, uncertainty and doubt’ but rather to highlight that this seemingly simple process of ICT disposal is a critical part of data protection and information security. The easiest way of managing the risk is to engage with the process more intelligently. Have an inventory of the equipment being released. Release it to a professional company which holds relevant certification (such as ADISA); contract with that company and include a detailed service specification; and finally, audit them (or, if you don’t want to, sign up to the free monitoring service offered by ADISA and have copies of our independent audits arrive on your desk). The solutions are out there and there are ways of meeting all types of budget. Any ADISA member will be able to help you better understand what a sensible process would be and what the best technical solution is. So don’t allow unnecessary risk: work with your ADISA partner and rest assured that asset disposal doesn’t have to be a risky business.